MD5: 1b54b6b8d4da73b845ac3a1e80b60aae
SHA1: 3e7ada9f65769a8520ab277d1ab66dc1ce6dd4ba
SHA256: d254ed59a3d5f01ecd816acbe635e77a5fb1777f2edbe294c4ef2f889080e1ae
SSDeep: 12288:wxqxxGxcoCUyZtwAvAs4wTCyrPT0yq0VezaOvoJpaz/g/J/vVoS:DEfty/wAvN7lry0VeH8az/g/J/No
Size: 1072640 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: GreenApp
Created at: 2009-02-21 14:56:21
Analyzed on: WindowsXP SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Process activity

The Backdoor creates the following process(es):

taskkill.exe:1300
taskkill.exe:1596
taskkill.exe:1072
taskkill.exe:1540
sc.exe:1256
sc.exe:2016
rundll32.exe:272
cacls.exe:1436
cacls.exe:452

The Backdoor injects its code into the following process(es):

%original file name%.exe:176

File activity

The process %original file name%.exe:176 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (94139 bytes)
C:\ (4 bytes)
%System%\killkb.dll (19943351 bytes)
%System%\CatRoot2 (96 bytes)
%System%\wbem\Repository\FS\INDEX.MAP (4 bytes)
%System%\wbem\Repository\FS\OBJECTS.MAP (12 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
C:\$Directory (28 bytes)
%WinDir%\inf (400 bytes)
%WinDir%update.dll (35198910 bytes)
%System%\config\systemprofile (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%System%\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} (4 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\config (8 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
%System%\wbem (480 bytes)
%System%\drivers (8 bytes)
%System%\wbem\Logs\wbemcore.log (344 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (4543 bytes)
%System%\wbem\Repository\FS\MAPPING1.MAP (204 bytes)
%Documents and Settings%\%current user% (4 bytes)
%System% (1824 bytes)

The process rundll32.exe:272 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (6 bytes)

Registry activity

The process taskkill.exe:1300 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 A9 6A 43 AF 19 D3 E9 AF 9C 9C FF 19 0A D2 72"

The process taskkill.exe:1596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 80 10 18 AF 38 56 ED 50 3A 7C FE EC 38 63 93"

The process taskkill.exe:1072 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 EF CA 3F 8D 70 65 25 B4 45 B8 ED BB F6 2B 7B"

The process taskkill.exe:1540 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 2D CA E0 4C 1E 11 71 FA C7 E6 88 16 12 3B 00"

The process sc.exe:1256 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 13 DD 37 EA A9 C6 F7 47 32 40 95 29 03 72 66"

The process sc.exe:2016 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 5E 86 70 FC CC 7D CB A0 88 E8 81 0E D7 CE 2B"

The process rundll32.exe:272 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 01 5C E1 AA A8 59 EA 8A D6 94 C7 FC 53 E3 B7"

The process cacls.exe:1436 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 31 7C DA 6B 50 11 E5 D3 F7 63 F5 EC B2 90 AC"

The process cacls.exe:452 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 53 CE C2 9A 51 17 40 46 D9 D9 85 68 C0 B8 4B"

Dropped PE files

HOSTS file anomalies

The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Backdoor installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the Backdoor substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
ahei8.3322.org

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

.text

`.rdata

@.data

.rsrc

KERNEL32.DLL

MSVCRT.dll

GetWindowsDirectoryA

WinExec

o12aSkSLyZo7kdksl4uqJBocm6mmSg xO1VNRlYj6LC0ThFKJ4oooAAA

o12aSkSLyZo7kdksl4uqJBocm6mmSg xO1VNRlbSCTGZGV4Hc1qMPBiUDYwA

update.dll

cmd /c taskkill /im avp.exe /f

cmd /c sc config avp start= disabled

rundll32.exe %s, droqp

\system32\killkb.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

*m5<-%C

URLDownloadToCacheFileA

>w<$r%x<$r%s<$c

gsso9..khki-tr.`abc-dwd

FdsShbjBntms

EhmcMdwsEhkd@

Lctcp

GmdA_jjBpgtcp

GmBpgtcpM`hcarRwnc

016-/-/-0

016-/-/-1

016-/-/-2

016-/-/-/

010-03-0/0-57

016-0-0-0

016-/-0-0

50-017-060-00497/7/

010-00-8/-68

014-8/-77-27

1/3-066-81-57

10/-63-034-125

10/-65-/-022

108-018-128-11/

50-055-21-1

108-042-3/-110

107-81-075-16

108-042-35-16

108-042-41-012

110-084-31-60

111-62-107-004

1/2-00/-057-12297/

1/2-00/-057-11097/

48-23-020-43

10/-40-34-4

48-23-087-117

48-23-087-77

48-23-087-86

5/-08/-003-0/0

5/-08/-107-23

5/-080-013-141

50-034-006-101

50-046-0/8-111

64-015-2-105

64-015-2-106

64-015-2-107

48-014-120-066906666

64-015-2-11/

64-015-2-110

64-015-2-111

%original file name%.exe_176_rwx_10000000_00001000:

.data

.rsrc

@.reloc

\pipe\browser

\\%s\IPC$

Bd

psapi.dll

\patch.exe

\dstdisk.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\drivers\gm.dls

%s%d.txt

>>tmp.tmp

@echo rcx>>tmp.tmp

@echo %X>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo w>>tmp.tmp

@echo q>>tmp.tmp

@debugnul

@rename tmp2 tmp2.exe

tmp2.exe

Windows

1.exe

autorun.inf

Open=1.exe

urlmon

\setup.exe

?x=%s&y=%s&t=%d

iexplore.exe

.html

.hhqg

qq.exe

360safe.exe

\explorer.exe

\temp\explorer.exe

10fect_exe

%original file name%.exe_176_rwx_1000A000_00001000:

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

rundll32.exe_272:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

iexplore.exe_1628:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   taskkill.exe:1300
   taskkill.exe:1596
   taskkill.exe:1072
   taskkill.exe:1540
   sc.exe:1256
   sc.exe:2016
   rundll32.exe:272
   cacls.exe:1436
   cacls.exe:452

3. Delete the original Backdoor file.
   
4. Delete or disinfect the following files created/modified by the Backdoor:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (94139 bytes)
   %System%\killkb.dll (19943351 bytes)
   %System%\CatRoot2 (96 bytes)
   %System%\wbem\Repository\FS\INDEX.MAP (4 bytes)
   %System%\wbem\Repository\FS\OBJECTS.MAP (12 bytes)
   %System%\config\systemprofile\Application Data\Microsoft (4 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   C:\$Directory (28 bytes)
   %WinDir%\inf (400 bytes)
   %WinDir%update.dll (35198910 bytes)
   %Program Files%\COMMON FILES (4 bytes)
   %System%\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} (4 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   %WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
   %System%\wbem\Logs\wbemcore.log (344 bytes)
   %System%\wbem\Repository\FS\INDEX.BTR (4543 bytes)
   %System%\wbem\Repository\FS\MAPPING1.MAP (204 bytes)
   %System%\drivers\acpiec.sys (6 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
8. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.